Even if some powerful adversary would monitor everything going in and out of a VPN server I don't see how that is relevant. As long as whatever happens inside the VPN server is not possible to observe then it would still likely be difficult to determine what traffic belongs to a particular user on some server that sees traffic from several users at the same time. Don't you agree?
It is not that difficult, unfortunately. Simplified case: Let's say there is some major event going on, so that everyone is out in the streets, and only three AirVPN users are online at one particular data center. One is browsing Wikipedia, one is checking gmail, and one is chatting on IRC. As long as all three are not sending and receiving data at the same time, it is trivial for an observer to see that when user A sends data to the AirVPN server, data gets sent on to Wikipedia; and then a webpage comes back, first to the server, and then to user A. (At that point, ask Wikipedia who was logged in.)
That is the simple and unrealistic scenario. In actual use, the adversary would have to use statistical methods to see that, say, 93% of the time user A sends and receives data, data gets sent on to destination X. And the longer you can listen, and the more data you can capture, the more certain you can get. [note]
This is called an "intersection attack", and is a problem for any system that wants to provide both anonymity and real-time response. The extreme case is if the adversary can monitor both your connection to your ISP, and the Internet connection of the service you are using - an intersection attack would work here no matter what is in between.
So if there is a "global passive adversary" (another known phrase to look up), there is little we can do. But someone who can only operate within a single nation is going to have a bit of trouble if you use a server located in a different country.
note: So if you could save data on all the time, you could go back and look for patterns later, and expect a high success rate. This is why having all this "metadata" is so interesting for the three-letter agencies.
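
An added illustration of the statistical correlation described in the reply above (not part of the original posts), useful when threat-modeling how much cover other users on the same server provide. It runs on constructed traffic in which user i only talks to destination i; the slot model, the 7% miss rate and all function names are assumptions made for the example.

```python
import random

def simulate(n_users, n_slots, p_active, p_miss=0.07, seed=1):
    """Constructed traffic: user i only ever talks to destination i.
    Returns one (active_users, active_destinations) pair per time slot,
    i.e. what is visible on each side of the server, not inside it."""
    rng = random.Random(seed)
    slots = []
    for _ in range(n_slots):
        users = {u for u in range(n_users) if rng.random() < p_active}
        # p_miss models buffering/jitter moving the forwarded data out of the slot
        dests = {u for u in users if rng.random() >= p_miss}
        slots.append((users, dests))
    return slots

def cooccurrence(slots, user):
    """Fraction of the user's active slots in which each destination was also active."""
    active = [dests for users, dests in slots if user in users]
    if not active:
        return {}
    seen = set().union(*active)
    return {d: sum(d in dests for dests in active) / len(active) for d in sorted(seen)}

def margin(slots, user):
    """Gap between the best and second-best destination score (0 if fewer than two)."""
    scores = sorted(cooccurrence(slots, user).values(), reverse=True)
    return scores[0] - scores[1] if len(scores) > 1 else 0.0

if __name__ == "__main__":
    # Quiet server (20% activity per user) versus busy server (90% activity per user)
    for p_active in (0.2, 0.9):
        for n_slots in (10, 100, 5000):
            s = simulate(n_users=3, n_slots=n_slots, p_active=p_active)
            print(f"p_active={p_active} slots={n_slots:5d} margin={margin(s, 0):.2f}")
```

With a long capture the true destination's score settles near 93%, while the margin over the other destinations depends on how often other users are active in the same slots: the busier the server, the smaller the gap.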